From c6ae6f6f25e343a67ac2146fbded765b2bec24f9 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Mon, 3 Oct 2022 11:49:26 -0400
Subject: [PATCH 1/2] feat: Also log out of apps if they are hosted on the same domain
---
 coderd/users.go | 48 +++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 37 insertions(+), 11 deletions(-)
diff --git a/coderd/users.go b/coderd/users.go
index 2293aa5e8ff6b..29274044c77ff 100644
--- a/coderd/users.go
+++ b/coderd/users.go
@@ -1018,6 +1018,43 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 }
 http.SetCookie(rw, cookie)
 
+ // Delete the session token from database.
+ apiKey := httpmw.APIKey(r)
+ err := api.Database.DeleteAPIKeyByID(ctx, apiKey.ID)
+ if err != nil {
+ httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+ Message: "Internal error deleting API key.",
+ Detail: err.Error(),
+ })
+ return
+ }
+
+ // Deployments should not host devurl tokens on the same domain as the
+ // primary deployment. But in the case they are, we should also delete this
+ // token.
+ if appCookie, _ := r.Cookie(httpmw.DevURLSessionTokenCookie); appCookie != nil {
+ appCookieRemove := &http.Cookie{
+ // MaxAge < 0 means to delete the cookie now.
+ MaxAge: -1,
+ Name: httpmw.DevURLSessionTokenCookie,
+ Path: "/",
+ Domain: "." + api.AccessURL.Hostname(),
+ }
+ http.SetCookie(rw, appCookieRemove)
+
+ id, _, err := httpmw.SplitAPIToken(appCookie.Value)
+ if err == nil {
+ err = api.Database.DeleteAPIKeyByID(ctx, id)
+ if err != nil {
+ // Don't block logout, just log any errors.
+ api.Logger.Warn(r.Context(), "failed to delete devurl token on logout",
+ slog.Error(err),
+ slog.F("id", id),
+ )
+ }
+ }
+ }
+
 // This code should be removed after Jan 1 2023.
 // This code logs out of the old session cookie before we renamed it
 // if it is a valid coder token. Otherwise, this old cookie hangs around
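Review bot: `id, _, err := httpmw.SplitAPIToken(appCookie.Value)` discards the secret and then `DeleteAPIKeyByID(ctx, id)` removes whatever key ID the client chose to place in the app cookie, with no check that the key belongs to the user who is logging out — the only binding is that the request itself carries a valid session. Anyone who learns or guesses another user's key ID could revoke that session by sending it in `DevURLSessionTokenCookie` to the logout endpoint; key IDs are presumably random, but they are not treated as secrets. I would load the key by `id` first and only delete when its owner matches, e.g. wrap the delete in `if appKey.UserID == apiKey.UserID {` (and, where practical, verify the secret hash the same way the auth middleware does), skipping silently otherwise. Separately, a removal cookie only clears the stored one when Name, Domain and Path match how it was issued, so `Domain: "." + api.AccessURL.Hostname()` with `Path: "/"` is worth confirming against wherever the app cookie is set — a host-only cookie would survive this. postLogout begins before and continues after this hunk.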
@@ -1036,17 +1073,6 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 }
 }
 
- // Delete the session token from database.
- apiKey := httpmw.APIKey(r)
- err = api.Database.DeleteAPIKeyByID(ctx, apiKey.ID)
- if err != nil {
- httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
- Message: "Internal error deleting API key.",
- Detail: err.Error(),
- })
- return
- }
-
 httpapi.Write(ctx, rw, http.StatusOK, codersdk.Response{
 Message: "Logged out!",
 })
From e0862596e5ae6f4bfb558e2223742a2ab79e7669 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Mon, 3 Oct 2022 12:05:13 -0400
Subject: [PATCH 2/2] Update comment
---
 coderd/users.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coderd/users.go b/coderd/users.go
index 29274044c77ff..17c788f72b8f2 100644
--- a/coderd/users.go
+++ b/coderd/users.go
@@ -1029,7 +1029,7 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 return
 }
 
- // Deployments should not host devurl tokens on the same domain as the
+ // Deployments should not host app tokens on the same domain as the
 // primary deployment. But in the case they are, we should also delete this
 // token.
 if appCookie, _ := r.Cookie(httpmw.DevURLSessionTokenCookie); appCookie != nil {